| author | Simon Charette <charette.s@gmail.com> | 2022-06-19 23:46:22 -0400 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-07-06 07:40:07 +0200 |
| commit | 877c800f255ccaa7abde1fb944de45d1616f5cc9 (patch) | |
| tree | 1fd6fa46ea847249eab6339213d4de5ee8f05f65 /docs | |
| parent | 73766c118781a7f7052bf0a5fbee38b944964e31 (diff) | |
Refs CVE-2022-34265 -- Properly escaped Extract() and Trunc() parameters.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.1.txt | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/4.1.txt b/docs/releases/4.1.txt index ad6400c665..49bbf2dec2 100644 --- a/docs/releases/4.1.txt +++ b/docs/releases/4.1.txt @@ -459,6 +459,20 @@ backends. ``DatabaseOperations.insert_statement()`` method is replaced by ``on_conflict`` that accepts ``django.db.models.constants.OnConflict``. +* Several date and time methods on ``DatabaseOperations`` now take ``sql`` and + ``params`` arguments instead of ``field_name`` and return 2-tuple containing + some SQL and the parameters to be interpolated into that SQL. The changed + methods have these new signatures: + + * ``DatabaseOperations.date_extract_sql(lookup_type, sql, params)`` + * ``DatabaseOperations.datetime_extract_sql(lookup_type, sql, params, tzname)`` + * ``DatabaseOperations.time_extract_sql(lookup_type, sql, params)`` + * ``DatabaseOperations.date_trunc_sql(lookup_type, sql, params, tzname=None)`` + * ``DatabaseOperations.datetime_trunc_sql(self, lookup_type, sql, params, tzname)`` + * ``DatabaseOperations.time_trunc_sql(lookup_type, sql, params, tzname=None)`` + * ``DatabaseOperations.datetime_cast_date_sql(sql, params, tzname)`` + * ``DatabaseOperations.datetime_cast_time_sql(sql, params, tzname)`` + :mod:`django.contrib.gis` ------------------------- |
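Review bot: The `datetime_trunc_sql` entry in the added signature list is written as ``DatabaseOperations.datetime_trunc_sql(self, lookup_type, sql, params, tzname)`` and is the only one of the eight that includes `self`; drop it so the list is consistent. In the first added sentence, "return 2-tuple" should read "return a 2-tuple". Because the commit refs CVE-2022-34265 and the new contract is that each method returns SQL plus "the parameters to be interpolated into that SQL", consider adding one sentence telling backend authors to extend and return the `params` they receive rather than formatting values into the SQL string, and to say whether `lookup_type` is expected to be validated by the caller or by the method. As written, the note documents only the signature change, not the escaping responsibility that motivated it.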
